Open meztez opened 10 months ago
meztez
commented
10 months ago I'm thinking using the options package would maybe open up an attack vector, because of this line here: https://github.com/dgkf/options/blob/a2c110229f844de49b3dbb56bb0a19542b92899a/R/envvars.R#L168
I'm going to ice this one for now.
schloerke
commented
10 months ago @meztez Currently, envvar_eval_or_raw is a default parameter to options::option_spec(). We could easily supply a safe version when defining the plumber option spec and we'd be fine.
schloerke
commented
10 months ago The option_spec() handles the extra args supplied to define_option.character().
So we could use a helper function to define the options (setting the envvar_fn value for every option):
# Copied from https://github.com/dgkf/options/blob/a2c1102/R/envvars.R#L1-L4
# Sets up pretty printing
fn_with_desc <- function(f, desc) {
attr(f, "desc") <- desc
f
}
# Keep sys env var as raw string only
plumber_envvar_raw <- fn_with_desc(
function(raw, name, ...) {
raw
},
"string"
)
define_plumber_option <- function(...) {
options::define_option(
...,
envvar_fn = plumber_envvar_raw
)
}# Ex usage
define_plumber_option(
option = "port",
default = NULL,
desc = paste(
"Port Plumber will attempt to use to start http server.",
"If the port is already in use, server will not be able to start."
)
)Noted, still have to figure out what to do with options_plumber, return values. Probably do not want to change the behavior. Options does not have an opt<- equivalent yet. Integrating httpproblems at the moment.
Pending a doc ordering issue in options package.
https://github.com/dgkf/options/pull/7
PR task list:
devtools::document()